The 2009 HITECH Act mandated that the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) conduct periodic audits of covered entities and business associates for compliance with HIPAA privacy and security requirements. In 2012, OCR conducted a pilot audit program involving 115 covered entities. In February 2014, the agency issued a notice in the Federal Register announcing its plan to survey up to 1,200 covered entities and business associates to select organizations for the next round of HIPAA audits.
On August 27, 2014, the National Institutes of Health (NIH) issued a new Genomic Data Sharing (GDS) Policy, which replaces the current genome-wide association study (GWAS) data policy that was instituted in 2007. The GDS Policy applies to all NIH-funded research that generates large-scale human or non-human genomic data as well as the use of that data for subsequent research. As discussed below, the Policy promotes the use of broad informed consent for future study and sharing.
The “Right to be Forgotten” ruling issued by the European Court of Justice in May 2014 has been a key source of controversy this summer. Much criticism has explored the impact of the ruling on freedom of expression and the right of access to information. In an article published in the Privacy and Data Protection Journal, Eduardo Ustaran, Partner in Hogan Lovells’ Global Privacy and Information Management Practice, unpacks the wider implications of the ruling to focus on key legal-applicability considerations for businesses with subsidiaries in the EU. The article also considers how the ruling will impact legislative debate on the forthcoming EU Data Protection Regulation.
To Read “The Wider Effects of the ‘Right to be Forgotten’ Case,” click here.
Hogan Lovells Privacy and Information Management lawyer Jared Bomberg makes a novel proposal regarding federal data security and breach notification legislation in his opinion piece in The Hill. Bomberg suggests “making federal rules for data security and breach notification voluntary, opt-in standards enforceable by the FTC, instead of mandatory rules that remove all companies from the state system.”
Ask any data protection officer or privacy counsel what tops their list of trepidations, and engaging global data services vendors will be up there. The combination of security threats and burdens, restrictions on international data transfers and data-hungry law enforcement authorities has turned delegating any data processing or storage operations to cloud service providers into an unnerving proposition. This is unfortunate given all the practical benefits and the crucial role of cloud computing for the world’s economy and the information society. If we add to this the incessant scrutiny of Safe Harbor and the growing distrust surrounding technology giants, which is part of the legacy of the post-Snowden era, things are not looking very rosy for the global guardians of our information. It need not be this way.
Writing for Expert Guide: Competition and Antitrust Law, Hogan Lovells attorneys Dean Hansell and Charles Dickinson discuss the FTC’s current consumer protection initiatives and identify emerging areas of focus of the agency’s regulatory initiatives. Hansell and Dickinson also expect that the FTC may be “more willing to push enforcement initiatives” with its current roster of Commissioners and offer that “companies of all sizes would be well-served to understand how their businesses might fall under the FTC’s radar.”
To read “Current FTC Enforcement Initiative in the Consumer Protection Arena,” click here.
Six months after release of the Framework for Improving Critical Infrastructure Cybersecurity (Framework), on August 21 the National Institute of Standards and Technology (NIST) put forward a draft Request For Information (RFI) to learn more about experiences with and effectiveness of the Framework. Through the RFI process, NIST seeks to better understand how organizations in all critical infrastructure sectors are approaching and making specific use of the Framework. Responses to the RFI are expected to shape the agenda for NIST’s 6th Cybersecurity Framework Workshop, its first following the Framework’s release.
This week, the National Institute of Standards and Technology (NIST) convened the first face-to-face meeting of the cyber-physical systems public working group (CPS PWG) to develop and implement a new cybersecurity framework dedicated to cyber-physical systems (CPS), also known as the “Internet of Things.” Companies developing products and services involving CPS may consider participating in the CPS PWG, as participation in webinars and meetings is open and intended to be convenient. The group’s efforts may affect the legal landscape developing around CPS.
On July 31, a U.S. District Court judge ruled from the bench that Microsoft could be forced to turn over customer emails in the context of a law enforcement investigation even though those emails were stored on servers located in Ireland. Microsoft had contested the government’s request, arguing that the data was subject to Irish law and that the U.S. government was required to utilize law enforcement treaty channels to obtain the data. Microsoft has appealed the ruling, which now will be heard by the Second Circuit Court of Appeals.
Since the ruling, I have had a number of conversations, mostly with lawyers located outside of the U.S., expressing surprise that the ruling gave such seemingly expansive jurisdiction to the U.S. government. But it shouldn’t come as a surprise to those who follow these issues, including readers of Hogan Lovells’ white papers on government access, that U.S. law enforcement can compel companies subject to its jurisdiction to produce data stored abroad, and that many other countries’ governments provide the exact same authority.
The dust has yet to settle but much has already been said about the implications of the Google Spain decision by the Court of Justice of the European Union (CJEU) and the right to be forgotten. The controversy has focused on the impact of this judgment on freedom of expression and the right of access to information, as well as the potentially devastating effect of a large amount of deletion requests. EU regulators are wondering – like everybody else – how big and unmanageable this is going to get, whilst search engines scramble for resources to deal with the unknown. With the prospect of an even more demanding EU privacy framework looming over the horizon, the right to be forgotten decision is a potential game changer for the whole Internet industry. But the CJEU did not just enable an unprecedented level of control by individuals over their data, it shook the basis on which the applicability of EU data protection law has been understood until now.